
Managing users via Directory Synchronization

Attention

This feature currently requires a user with System Administrator privileges. It will become available for other privilege levels in a later release.

With ad-connect, users from a local user directory can be integrated seamlessly into Kopano Cloud.

Create new sync configuration

A synchronisation configuration defines how the system should synchronise directory information, such as users from an external source, an Active Directory or an LDAP server. To identify a new set of synchronisation configuration settings, start by selecting a name. It is recommended that you choose something unique, such as the name of the synchronisation server.

To add a new synchronisation configuration, please follow the instructions shown below and on your screen:

[Screenshot: Adding a new synchronization configuration]

After entering all settings, please click on Add synchronization. The system will then present you with both the Application ID and the Secret Token.

Important

Please take note of the secret, as it will only be shown once.

[Screenshot: Synchronization configuration overview]

The synchronisation configuration overview page shown below provides a download link for ad-connect and shows whether a client is currently connected. The client download archive contains a binary, a sample configuration and a readme file with further instructions.

[Screenshot: Synchronization configuration settings]

Configuring ad-connect

To configure ad-connect, please modify the example adc.yaml to match your environment. An example is shown below:

settings:
  dry-run: true
  no-update: false
  no-create: false
  no-delete: false
  delete-disables: true
  no-update-provider-mismatch: true
  create-as-disabled: false

backend:
  ldap:
    addr: ldap://your-ldap-server.local
    bind_dn: cn=readonly,dc=lg,dc=local
    bind_password: readonly
    base_dn: dc=lg,dc=local
    scope: sub

    sync:
      page_size: 20
      filter: (objectClass=inetOrgPerson)

    authentication:
      username_attribute: mail
      username_filter_template: (&(objectClass=inetOrgPerson)(mail=%s))
      timeout: 5

A note regarding the settings part in adc.yaml

As defined in the synchronization configuration settings, it is possible to define these settings both on the server side and on the client side. If the two configurations contain conflicting values, the server's settings override the client's settings. For example, if the server only allows dry runs, the client will be unable to import users into the server.

Running ad-connect

ad-connect has two modes of operation:

  1. When called with the imp parameter, it imports users from the configured LDAP source.
  2. When called with the run parameter, it connects to Kopano Cloud.

When password delegation is enabled, the client is required to be connected at all times so that users are able to sign in.

Systemd service setup example

To run ad-connect with systemd, there are a few requirements.

First, create a new service configuration file called adc.cfg and save it in /etc/e4a-ad-connect.

The adc.cfg file needs to contain the following:

AD_CONNECT_ADDR=address-of-server:443
AD_CONNECT_AUTH=application-id:secret-token
AD_CONNECT_CONFIG=/etc/e4a-ad-connect/adc.yaml

To create the actual service:

  1. Run sudo systemctl edit --force --full systeminfo.service
  2. Then add the following content to the service file:
[Unit]
Description=ad-connect
After=network.target

[Service]
Type=simple
User=nobody
Group=nogroup
WorkingDirectory=/etc/e4a-ad-connect
ExecStart=/usr/local/bin/adc run
EnvironmentFile=/etc/e4a-ad-connect/adc.cfg
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
Restart=always
RestartSec=10
TimeoutStopSec=30
KillMode=process

[Install]
WantedBy=multi-user.target

Note

Installers for Windows and Linux systems, as well as an OCI container, will be made available in a later release.

What kind of information can I import with ad-connect?

By default, ad-connect will use the following attributes when creating or updating a user:

  • cn or displayname
  • title
  • description
  • mobile
  • telephonenumber
  • mail

When the option "Sync aliases when users are created, updated or deleted" in the Directory Synchronization Settings is unchecked, the LDAP mail attribute needs to be unique.

Anchor attribute

The anchor attribute can be modified in the "synchronization configuration settings". The anchor attribute defines which attribute should be used as the unique property of a user. If the unique property is a valid email address, then it will be used as such. Otherwise, a domain will be mapped to it depending on the location within the LDAP tree. An example of this can be seen below:

[..]
    domain_map:
      dc=lg,dc=local: ad-connect.local
[..]

Important

Up to version 6.1.2, the mail attribute was the anchor attribute on the server side. From version 6.2.0 onwards, the anchor attribute is uid.

Attribute mapping

If important information is stored under another attribute, it is possible to map it to the correct attribute at runtime. This can be seen in the example below, where the value of kopanoAliases is treated as the mail attribute.

[..]
    attributes_map:
        kopanoAliases: mail
[..]

Alternatively, it is also possible to transform attribute values when reading data from the LDAP directory. This is useful when, for example, the domain stored in the LDAP attribute differs from the domain that should be associated with the user.

[..]
    attributes_transformer:
        mail: 's/\(.*\)@.*/\1/'
        attributes_transformer_command: "sed --sandbox -e"
[..]
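To see how the anchor attribute, domain_map, attributes_map and attributes_transformer settings above combine, here is an added model of that pipeline in Python; it is not ad-connect's own code. It assumes a constructed LDAP entry, uses a Python regular expression as a stand-in for the page's sed command, and treats the domain_map key as a base DN suffix of the entry's DN.

```python
import re

# Constructed configuration mirroring the adc.yaml fragments on this page.
# The sed expression 's/\(.*\)@.*/\1/' is written as a Python (pattern, repl) pair.
CONFIG = {
    "anchor_attribute": "mail",
    "attributes_map": {"kopanoAliases": "mail"},
    "attributes_transformer": {"mail": (r"(.*)@.*", r"\1")},
    "domain_map": {"dc=lg,dc=local": "ad-connect.local"},
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

ENTRY = {  # constructed LDAP entry; lg.local is the directory's own domain
    "dn": "uid=jdoe,ou=people,dc=lg,dc=local",
    "attrs": {"uid": "jdoe", "cn": "Jane Doe", "kopanoAliases": "jane.doe@lg.local"},
}


def apply_maps(entry, cfg):
    """Rename attributes per attributes_map, then rewrite values per attributes_transformer."""
    attrs = dict(entry["attrs"])
    for src, dst in cfg["attributes_map"].items():
        if src in attrs:
            attrs[dst] = attrs.pop(src)  # kopanoAliases is now read as mail
    for name, (pattern, repl) in cfg["attributes_transformer"].items():
        if name in attrs:
            attrs[name] = re.sub(pattern, repl, attrs[name], count=1)
    return attrs


def domain_for_dn(dn, domain_map):
    """Return the domain whose base DN is a suffix of the entry's DN, or None."""
    for base_dn, domain in domain_map.items():
        if dn.lower().endswith(base_dn.lower()):
            return domain
    return None


def resolve_user(entry, cfg):
    """Build the user record with the unique identifier derived from the anchor attribute."""
    attrs = apply_maps(entry, cfg)
    anchor = attrs[cfg["anchor_attribute"]]
    if EMAIL_RE.match(anchor):  # a valid address is used as-is
        return {"id": anchor, **attrs}
    domain = domain_for_dn(entry["dn"], cfg["domain_map"])
    if domain is None:
        raise ValueError(f"no domain_map entry covers {entry['dn']}")
    return {"id": f"{anchor}@{domain}", **attrs}
```

With the transformer active, the LDAP domain is stripped from the aliased address and domain_map supplies ad-connect.local instead; without it, the original address is kept as the identifier.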